A recent decision by the Austrian Supervisory Authority (SA) has found a website operator to have violated its post-Schrems II data transfer obligations, and potentially marks the beginning of similar enforcement action across Europe.
In December 2021, the Austrian SA found that a website which used the free version of Google Analytics was in breach of the GDPR's data transfer rules. Specifically, it found that Google's use of Standard Contractual Clauses and supplementary measures did not ensure that personal data transferred from Europe to the US was provided with an adequate level of protection. Consequently, the website operator, as data exporter, was found to have violated its data transfer obligations under the GDPR.
This has potentially significant implications for organisations. According to the Austrian decision, the website owner, as data exporter, remains responsible for complying with data transfer obligations. Such obligations present a potentially high bar for compliance.
In this case, the website operator had used a service that implemented numerous supplementary measures (including encryption, anonymisation and pseudonymisation, and "careful examination(s) of every data access request" received by the US authorities) and was still found to have provided an insufficient level of protection over personal data.
The question remains as to what measures will then be deemed to be adequate to close the gap between the website operator and Schrems II compliance.